At a glance.
- Unemployment benefit scams.
- The disputed price tag for fixing Missouri's data exposure.
- Ransomware trends.
- Lessons from the Ferrara ransomware attack.
FBI issues guidance on unemployment benefit scams.
The US Federal Bureau of Investigation (FBI) has published a public service announcement warning about fraudulent unemployment benefit websites created by cybercriminals looking to steal personal and financial details in order to commit benefit fraud, harvest private data, or infect victims’ devices. To avoid falling prey to these scammers, the FBI urges citizens to be wary of websites with misspelled names, to verify that the site has a Secure Sockets Layer certificate (indicated by a padlock in the address bar), and to keep their systems updated and protected with antivirus software.
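As an added example (not from the FBI announcement or this briefing), a small Python checker that applies the "misspelled site" advice: it compares a URL's hostname against a constructed allowlist of portal names, folds common lookalike substitutions before measuring edit distance, and records a missing https as a finding. The allowlist hostnames and the sample URLs are placeholders, not real state portals.

```python
import unicodedata
from urllib.parse import urlparse

# Constructed allowlist of legitimate benefit portals (placeholder names, not real sites).
KNOWN_GOOD = ("unemployment.example-state.gov", "labor.example-state.gov")

# Digits and letter pairs that lookalike domains swap for visually similar glyphs.
CONFUSABLE_CHARS = str.maketrans("0135|", "olesl")
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def canonical(host):
    """Lower-case, Unicode-normalise and drop a leading 'www.' so exact matches work."""
    host = unicodedata.normalize("NFKC", host).lower().strip(".")
    return host[4:] if host.startswith("www.") else host


def fold_confusables(host):
    """Map look-alike characters to the letters they imitate (used only for comparison)."""
    host = host.translate(CONFUSABLE_CHARS)
    for pair, single in CONFUSABLE_PAIRS:
        host = host.replace(pair, single)
    return host


def levenshtein(a, b):
    """Edit distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(url, known_good=KNOWN_GOOD, max_distance=2):
    """Verdict plus findings for one URL. Any domain can obtain a certificate, so the
    padlock/https is treated as necessary for a benefits site, never as proof of legitimacy."""
    parsed = urlparse(url)
    host = canonical(parsed.hostname or "")
    findings = [] if parsed.scheme == "https" else ["no_tls"]
    if host in {canonical(g) for g in known_good}:
        return {"host": host, "verdict": "allowlisted", "findings": findings}
    name, _, tld = fold_confusables(host).rpartition(".")  # compare name apart from TLD
    best, best_d, best_tld = None, None, None
    for good in known_good:
        gname, _, gtld = fold_confusables(canonical(good)).rpartition(".")
        d = levenshtein(name, gname)
        if best_d is None or d < best_d:
            best, best_d, best_tld = good, d, gtld
    if best_d is not None and best_d <= max_distance:
        findings.append("lookalike_of:" + best)
        if tld != best_tld:  # e.g. a .com imitating a .gov portal
            findings.append("tld_mismatch")
        return {"host": host, "verdict": "suspicious", "findings": findings}
    return {"host": host, "verdict": "unknown", "findings": findings}
```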
Missouri school leak has hefty price tag (says the governor).
As we noted last week, a reporter at the St. Louis Post-Dispatch discovered a bug in a Missouri Department of Elementary and Secondary Education database that exposed the Social Security numbers of over 100,000 school employees. Security Week reports that, according to House Democrats and verified by a spokesperson for Governor Mike Parson, fixing the issue will cost the state up to $50 million. Last week Parson, a Republican, downplayed his administration’s responsibility for the leak, accusing the Post-Dispatch of publicizing the issue just to make headlines and blaming the newspaper for the cost. Democratic representative Peter Meredith, however, explains that most of that money will go to credit monitoring for the breach victims.
Trends in ransomware.
Trend Micro has released a report on the impact of ransomware attacks on over twenty critical industries in the first half of 2021. It analyzed over 3.6 million attack attempts and found that banking, government, and transportation were the most targeted sectors, attractive to threat actors because of their wide attack surface. REvil ransomware was among the most frequently detected families, often pairing its attacks with double-extortion techniques and using spear-phishing emails, Remote Desktop Protocol access, compromised websites, or unpatched bugs as entry points.
Also focusing on ransomware, Armis has published its Ransomware Roll-up, which takes a closer look at the activities of thirteen ransomware gangs (including REvil) in May 2021. By monitoring the gangs’ leak sites, Armis gathered data about the volume, size, industry, and supply chain of the targeted organizations. The Avaddon threat group was active in the greatest number of countries, while Babuk focused on European nations and the US. (Worth noting: Russia does not appear as a target in their data at all.) The Conti gang was the most active attacker, hitting seventy-five victims, followed by Avaddon with thirty-four. Honorable mention for most infamous attack goes to DarkSide, who orchestrated the attack on the Colonial Pipeline.
Candy Corn crisis averted.
The ransomware incident at Ferrara Candy seems not to have affected personal data, as so many double-extortion ransomware attacks do. But the lessons to be drawn from it have implications for organizations that hold private information.
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, sees significance in the timing of the attack:
"Part of your cyber resiliency plan must include “worst case scenario” possibilities. Organizations are becoming more aware of highly prevalent threats like ransomware and taking precautions such as shoring up backup and restore strategies. However, attackers are aware of this and other defensive measures and will update their attack methodologies to ensure the highest chance of successfully extorting money from their victims. One such tactic is understanding when the victim’s busiest season, the one that can least afford systems downtime, is likely to be, and waiting until it has begun to launch their ransomware attack. After all, a compromised business that doesn’t detect the attacker on day 1 is unlikely to detect the attacker on day 90, especially if the attacker is simply waiting for the opportune time to launch their ransomware. By doing so, cybercriminals can make any service disruptions and restoration delays maximally painful to their victim to further coerce them to pay the extortion demand rather than attempt to restore systems or data themselves.
"The answer to such evolving threats remains constant, however. To ensure the best chance of avoiding or quickly catching and stopping an attack before it becomes a widespread issue is to adopt a true culture of security in the organization. It requires proper education for all positions and roles in the organization, both technical and non-technical, on the latest threats and best behaviors to remain safe. Further, it entails adopting security hardening standards for systems and applications to minimize internal and external attack surface, the employment of effective security products and services, and continuous monitoring for suspicious behaviors that can indicate that an attack is imminent. Finally, it also requires regular proactive security posture validation through penetration testing or ethical hacking to ensure that no mistakes have been made and no potential risks have fallen through the cracks."
Simon Jelley, ransomware expert and general manager for Endpoint and SaaS Protection at Veritas Technologies, also sees a target of seasonal opportunity: Halloween and Valentine's Day are to candy companies what Black Friday has been to retailers of durable goods:
"This is typical behavior from cybercriminals—they target companies when they’re most vulnerable. In this case, it’s a candy manufacturer at what is likely one of their busiest times of year. Attackers want to create situations where companies feel they have no choice but to pay up.
"This should be a lesson to all companies to be on heightened alert as they approach critical moments in time for their business—whether that be candy companies ahead of Halloween or Valentine’s Day, retailers as Black Friday and Cyber Monday approach, etc.
"The Ferrara attack, like so many others, also highlights that preventing ransomware attacks is a noble effort, but preparation for dealing with the aftermath of a successful attack is more important than ever. Companies need to have a plan in place that includes tried and tested backup capabilities that will allow them to quickly spin up alternative IT environments, with clean versions of their data, so they can return to business as quickly as possible."